ME: High-level overview

- The Management Engine (or Manageability Engine) is a dedicated microcontroller on recent Intel platforms
  - In the first versions it was included in the network card; later it moved into the chipset
  - Shares the flash with the BIOS, but is completely independent from the main CPU
  - Can be active even when the system is hibernating or turned off (but connected to mains)
- Has a dedicated connection to the network interface; it can intercept or send any data without the main CPU's knowledge

ME: High-level overview

[Figure: Intel ME architecture block diagram (credit: Intel, 2009). On the ME side, bottom to top: the micro-controller (located in the Graphics and Memory Controller Hub), the ThreadX kernel, the Management Engine Hardware Abstraction Layer, Core Services (Power Manager, Non-Volatile Memory Manager, etc.), Management Services (Event/Alerting Manager, circuit-breaker control, etc.), Network Services (HTTP, TCP/IP, TLS, etc.), Admin Services (Configuration, Provisioning, ACL Management, etc.) and the Intel Active Management Technology applications (Asset Management, Third-Party Data Store, Remote Management, etc.). On the CPU / Controller Hub side: software agents, PCI entities and the circuit-breaker filters, connected through the host interfaces (IDE-R, SOL, HECI).]

ME: High-level overview

Communicating with the Host OS and network

[Figure: the ME talks to a network server through a SOAP / HTTP / TLS / TCP/IP stack, and to the host OS through HECI.]

- HECI: Host Embedded Controller Interface; communication using a PCI memory-mapped area
- The network protocol is SOAP based; it can be plain HTTP or
Some of the ME components

- Active Management Technology (AMT): remote configuration, administration, provisioning, repair, KVM
- System Defense: lowest-level firewall/packet filter with customizable rules
- IDE Redirection (IDE-R) and Serial-Over-LAN (SOL): boot from a remote CD/HDD image to fix a non-bootable or infected OS, and control the PC console
- Identity Protection: embedded one-time password (OTP) token for two-factor authentication
- Protected Transaction Display: secure PIN entry for a remote server that is not visible to the host software

ME: High-level overview

Intel Anti-Theft

- The PC can be locked or disabled if it fails to check in with the remote server at some predefined interval; if the server signals that the PC is marked as stolen; or on delivery of a "poison pill"
- The poison pill can be sent as an SMS if a 3G connection is available
- Can notify disk encryption software to erase the HDD encryption keys
- Reactivation is possible using a previously set up recovery password or a one-time password
Sources of information

- Intel's whitepapers and other publications (e.g. patents)
- Intel's official drivers and software
  - HECI driver, management services, status checkers
  - AMT SDK, code samples
  - Linux drivers and supporting software; coreboot
- BIOS updates for boards on Intel chipsets
  - Even though the ME firmware is usually not updateable using normal means, it is usually still included in the BIOS image
  - Sometimes separate ME firmware updates are available too
Sources of information

- Intel's ME Firmware kits are not supposed to be distributed to end users
- However, many vendors still put up the whole package instead of just the drivers, or forget to disable the FTP listing
- With a few picked keywords you can find the good stuff :)

[Screenshot: web search results turning up vendor-hosted copies of the "Intel Management Engine System Tools User Guide" (PDF) and driver packages whose "Tools/System Tools/Flash Image Tool/" directories contain fitc.exe and fitc.ini, some of them on open FTP and HTTP directory listings.]
ME: Low-level details

- The SPI flash is shared between the BIOS, the ME and the GbE (Gigabit Ethernet) firmware
- For security, the BIOS (and the OS) should not have access to the ME region
- The chipset enforces this using information in the Descriptor region
- The Descriptor region must be at the lowest address of the flash and contains the addresses and sizes of the other regions, as well as their mutual access permissions

[Figure: SPI flash layout: the Flash Descriptor (Region 0) at the lowest address, followed by the other regions, among them the Intel ME region (Region 2).]
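The descriptor check the slide describes, as an added worked example (my code, written for this page; it is not the author's tool and nothing from the deck): it parses the Flash Descriptor at the start of a full SPI image using the descriptor layout of the ICH and 5- to 7-series chipsets (signature 5A A5 F0 0F at 0x10, FLMAP0/FLMAP1, one FLREG dword per region, one FLMSTR dword per master), lists the region bases and limits, and answers the question the later slides care about: may the host master read or write the ME region? The 4 KiB descriptor is constructed inline; its permission values mimic a typical locked production board and are not a dump of any real system.

```python
"""Parse an Intel SPI flash descriptor (Region 0) and report which flash
master may read or write which region.  Layout: signature at 0x10,
FLMAP0/FLMAP1 at 0x14/0x18, FLREGn at FRBA, FLMSTRn at FMBA."""
import struct

FD_SIGNATURE = 0x0FF0A55A                        # bytes 5A A5 F0 0F
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]
MASTER_NAMES = ["Host (BIOS/CPU)", "ME", "GbE"]  # FLMSTR1..FLMSTR3


def parse_descriptor(img):
    """Return regions (base/limit) and per-master read/write bitmaps."""
    (sig,) = struct.unpack_from("<I", img, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4          # Flash Region Base Address
    fmba = (flmap1 & 0xFF) << 4                  # Flash Master Base Address

    regions = []
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", img, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12            # 4 KiB granularity
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        # an unused region is encoded with base > limit (typically 0x1FFF / 0)
        regions.append({"name": name, "base": base, "limit": limit,
                        "present": base <= limit})

    masters = []
    for i, name in enumerate(MASTER_NAMES):
        (flmstr,) = struct.unpack_from("<I", img, fmba + 4 * i)
        masters.append({"name": name,
                        "requester_id": flmstr & 0xFFFF,
                        "read": (flmstr >> 16) & 0x1F,    # bit n = region n
                        "write": (flmstr >> 24) & 0x1F})
    return {"regions": regions, "masters": masters}


def can_access(desc, master, region, write=False):
    """True if master (0 = host, 1 = ME, 2 = GbE) may read (or write) region."""
    mask = desc["masters"][master]["write" if write else "read"]
    return bool((mask >> region) & 1)


def access_report(desc):
    """One line per (master, present region), in the spirit of the
    'Host Read/Write Access to ME' lines Intel's flash tool prints."""
    lines = []
    for mi, m in enumerate(desc["masters"]):
        for ri, r in enumerate(desc["regions"]):
            if not r["present"]:
                continue
            lines.append("%-16s -> %-10s read=%-3s write=%s" % (
                m["name"], r["name"],
                "yes" if can_access(desc, mi, ri) else "no",
                "yes" if can_access(desc, mi, ri, True) else "no"))
    return lines


def build_sample_descriptor():
    """Constructed 4 KiB descriptor (not a dump of a real board): ME region at
    0x3000-0x4FFFFF, host master locked out of it, PDR region unused."""
    fd = bytearray(b"\xFF" * 0x1000)
    struct.pack_into("<I", fd, 0x10, FD_SIGNATURE)
    struct.pack_into("<II", fd, 0x14, 0x04040003, 0x00100306)  # FRBA=0x40, FMBA=0x60
    #         Descriptor   BIOS        ME          GbE         PDR (unused)
    flregs = [0x00000000, 0x07FF0500, 0x04FF0003, 0x00020001, 0x00001FFF]
    struct.pack_into("<5I", fd, 0x40, *flregs)
    # host: read desc/BIOS/GbE, write BIOS/GbE; ME: read desc/ME/GbE, write ME/GbE;
    # GbE: its own region only
    struct.pack_into("<3I", fd, 0x60, 0x0A0B0000, 0x0C0D0000, 0x08080118)
    return bytes(fd)


if __name__ == "__main__":
    print("\n".join(access_report(parse_descriptor(build_sample_descriptor()))))
```

Run it against a real dump by passing the first 4 KiB of the SPI image to parse_descriptor; on the board the later slides describe, the host row for the ME region comes out read=no write=no, and flipping those bits is exactly what the read-only descriptor prevents.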

















ME: Low-level details

- The ME region itself is not monolithic
- It consists of several partitions, and the table at the start* describes them

Partition table header (byte offsets, field widths in bytes):

  00: "$FPT" (4) | NumEntries (4) | Ver (1) | EntryType (1) | HdrLen (1) | Checksum (1) | FlashCycleLifetime (2) | FlashCycleLimit (2)
  10: UMASize (4) | Flags (4)

Partition table entry:

  00: Name (4) | Owner (4) | Offset (4) | Length (4)
  10: StartTokens (4) | MaxTokens (4) | ScratchSectors (4) | Flags (4)

* Starting from ME 3.x the table begins at offset 0x10 (table version 2.0)

(c) 2012 Igor Skochinsky

ME: Low-level details

An example partition table as printed by the dumper:

===ME Flash Partition Table===
NumEntries:         10
Version:            2.0
EntryType:          10
HeaderLen:          30
Checksum:           0F
FlashCycleLifetime: 7
FlashCycleLimit:    100
UMASize:            16
Flags:              FFFFFE07
  EFFS present:     1
  ME Layout Type:   3

Partition:          'FOVD'
Owner:              'KRID'
Offset/size:        00000400/00001C00
TokensOnStart:      00000001
MaxTokens:          00000001
ScratchSectors:     00000000
Flags:              0783
  Partition type (Flags&0x7F): 3 (Generic)
  DirectAccess:     1
  Read:             1
  Write:            1
  Execute:          1
  Logical:          0
  WOPDisable:       0
  ExclBlockUse:     0
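An added example (my code for this page, not the deck's or the author's extractor) that walks the $FPT with the layout from the slides above: it locates the table at 0x10 or 0x00, checks the header checksum (checksum-8: the 0x20 header bytes sum to zero mod 256), decodes the entry flags the way the dump prints them (type = Flags & 0x7F, then DirectAccess, Read, Write, Execute, Logical, WOPDisable, ExclBlockUse in the following bits) and verifies that each partition lies inside the region. The 32 KiB region is constructed; the FOVD entry reuses the values of the dump above, while the FTPR entry, the fixed 0x20-byte header size and the type names other than 3 (Generic) are assumptions.

```python
"""Walk an ME region's Flash Partition Table ($FPT) with the layout from the
slides: header fields, checksum, and per-entry flag decoding."""
import struct

# header: tag, NumEntries, Ver, EntryType, HdrLen, Checksum, FlashCycleLifetime,
# FlashCycleLimit, UMASize, Flags (24 bytes used, padded to 0x20)
FPT_HEADER = "<4sIBBBBHHII"
FPT_HEADER_LEN = 0x20
# entry: Name, Owner, Offset, Length, StartTokens, MaxTokens, ScratchSectors, Flags
FPT_ENTRY = "<4s4sIIIIII"
FPT_ENTRY_LEN = struct.calcsize(FPT_ENTRY)      # 0x20
# 3 = Generic is on the slide; the other names follow the author's extractor as
# I recall them and should be treated as an assumption
PART_TYPES = {0: "Code", 1: "BlockIo", 2: "NVRAM", 3: "Generic", 4: "EFFS", 5: "ROM"}


def find_fpt(region):
    """ME 3.x and later put the table at 0x10 (table version 2.0), older at 0."""
    for off in (0x10, 0x00):
        if region[off:off + 4] == b"$FPT":
            return off
    raise ValueError("no $FPT signature in ME region")


def header_checksum_ok(region, off):
    """Checksum-8: the header bytes, checksum byte included, sum to 0 mod 256."""
    return sum(region[off:off + FPT_HEADER_LEN]) & 0xFF == 0


def decode_entry_flags(flags):
    """Type in the low 7 bits, then one flag bit each, in the order the dump prints them."""
    return {"type": PART_TYPES.get(flags & 0x7F, "unknown(%d)" % (flags & 0x7F)),
            "direct_access": (flags >> 7) & 1, "read": (flags >> 8) & 1,
            "write": (flags >> 9) & 1, "execute": (flags >> 10) & 1,
            "logical": (flags >> 11) & 1, "wop_disable": (flags >> 12) & 1,
            "excl_block_use": (flags >> 13) & 1}


def parse_fpt(region):
    off = find_fpt(region)
    if not header_checksum_ok(region, off):
        raise ValueError("$FPT header checksum mismatch")
    (_, num, ver, etype, hlen, _, life, limit, uma, flags) = struct.unpack_from(FPT_HEADER, region, off)
    table = {"version": "%d.%d" % (ver >> 4, ver & 0xF), "entry_type": etype,
             "header_len": hlen, "flash_cycle_lifetime": life, "flash_cycle_limit": limit,
             "uma_size": uma, "flags": flags,
             "effs_present": flags & 1, "me_layout_type": (flags >> 1) & 0xFF,
             "partitions": []}
    pos = off + FPT_HEADER_LEN                   # entries follow the 0x20-byte header (assumed)
    for _ in range(num):
        name, owner, poff, plen, stok, mtok, scratch, pflags = struct.unpack_from(FPT_ENTRY, region, pos)
        pos += FPT_ENTRY_LEN
        table["partitions"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "owner": owner.rstrip(b"\0").decode("ascii", "replace"),
            "offset": poff, "length": plen, "start_tokens": stok, "max_tokens": mtok,
            "scratch_sectors": scratch, "flags": decode_entry_flags(pflags),
            # offsets are relative to the ME region: an entry pointing past its
            # end is the first sign of a damaged or truncated dump
            "in_bounds": poff + plen <= len(region)})
    return table


def extract_partition(region, part):
    return region[part["offset"]:part["offset"] + part["length"]]


def build_sample_region():
    """Constructed 32 KiB region (not a real dump): the FOVD entry copies the
    dump above; FTPR is a made-up code partition (type 0, read + execute)."""
    region = bytearray(b"\xFF" * 0x8000)
    hdr = bytearray(struct.pack(FPT_HEADER, b"$FPT", 2, 0x20, 0x10, FPT_HEADER_LEN, 0,
                                7, 100, 16, 0xFFFFFE07)).ljust(FPT_HEADER_LEN, b"\0")
    hdr[0x0B] = (-sum(hdr)) & 0xFF               # checksum byte sits at +0x0B
    region[0x10:0x10 + FPT_HEADER_LEN] = hdr
    entries = [(b"FOVD", b"KRID", 0x400, 0x1C00, 1, 1, 0, 0x0783),
               (b"FTPR", b"\0\0\0\0", 0x2000, 0x4000, 0, 0, 0, 0x0500)]
    for i, e in enumerate(entries):
        struct.pack_into(FPT_ENTRY, region, 0x10 + FPT_HEADER_LEN + i * FPT_ENTRY_LEN, *e)
    return bytes(region)


if __name__ == "__main__":
    t = parse_fpt(build_sample_region())
    for p in t["partitions"]:
        print("%-4s owner=%-4s off=%08X len=%08X %s" % (
            p["name"], p["owner"], p["offset"], p["length"], p["flags"]["type"]))
```

Feed parse_fpt the ME region cut out with the descriptor's base/limit; a checksum mismatch or an out-of-bounds entry means the region boundary or the dump itself is wrong, and that is worth knowing before trusting any partition data.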
ME: Low-level details

- Code partitions have a header called a "manifest"
- It contains versioning info and the number of code modules, but also an RSA signature of the whole partition
- The format of the header is very close to that of TXT AC modules

Manifest header layout (byte offsets):

  000:     Type | SubType | HdrLen | HdrVer | Flags
  010:     Vendor | Date | Size | Tag
  020:     NumMods | Version | Reserved...
  070:     ...Reserved | KeySize | Reserved
  080-17F: RsaPubKey
  180:     RsaPubExp | RsaSig...
  280:     ...RsaSig | PartitionName

ME: Low-level details

An example code partition header:

Module Type: 4, Subtype: 0
Header Length:        0xA1 (0x284 bytes)
Header Version:       1.0
Flags:                0x00000000 [production signed] [production flag]
Module Vendor:        0x8086
Date:                 20120705
Total Manifest Size:  0xFD (0x3F4 bytes)
Tag:                  $MN2
Number of modules:    2
Version:              8.1.0.1265
Unknown data 1:       [0L, 1L, 2L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L]
Key size:             0x40 (0x100 bytes)
Scratch size:         0x01 (0x4 bytes)
RSA Public Key:       [skipped]
RSA Public Exponent:  17
RSA Signature:        [skipped]
Partition name:       MDMV
Unknown data 2:       [0L, 0L]
ME: Low-level details

- The format of the module headers depends on the version (header tag $MAN or $MN2)
- Module headers include the module name, hash, sizes (compressed and uncompressed), flags and runtime info (load address, entry points)
- Modules can be stored uncompressed, or compressed with LZMA or Huffman

Header tag:    $MME
Module name:   JOM
Hash:          AC A3 [...] C1 6C
Offset:        0x00015F7A
Data length:   0x00019F6D
LoadBase:      0x200B1000
Flags:         0x0012D42A
  Power Type:    POWER_TYPE_M0_ONLY (1)
  Compression:   COMP_TYPE_LZMA (2)
  API Type:      API_TYPE_KERNEL (2)

ME: Low-level details

- There have been two generations of the processor core, and corresponding changes in the firmware layout

                  Gen 1             Gen 2
  Core            ARCtangent-A4     ARCtangent-A5 (?)
  Manifest tag    $MAN              $MN2
ME: Low-level details

- The OS running on the chip is the ThreadX RTOS from Express Logic
- The OS provides APIs for managing threads (tasks), semaphores, message queues, event flags, timers, memory allocations etc.
- The ME firmware wraps those APIs in a module called KERNEL, and uses it from the other modules (via tables of pointers)
- Express Logic provides a demo version (binary only) of ThreadX for ARC, which helps in identifying the APIs in the ME
- Unfortunately Gen2 uses the Huffman compression (which I have not figured out yet) for the KERNEL :(
- So the going is somewhat slow for the newer firmwares

ME: communications

- If the AMT option is enabled, the ME listens on several ports (e.g. 16992 for HTTP and 16993 for HTTPS) for HTTP requests from browsers (for the Web UI) or SOAP requests
- Since it has a separate IP and MAC for the OOB interface, this does not interfere with the host
- The ME is also exposed by the chipset as a PCI device to the CPU, and can exchange messages with it using the Host Embedded Controller Interface (HECI) protocol over a memory-mapped I/O area (MMIO). The protocol itself is described in public documentation [DCMI-HI], but the higher-level messages are not well documented
- The ME can expose various clients to the host, each identified by a unique UUID or a numeric ID, and the host can talk to each client independently
- Several core clients have fixed low IDs; the rest get dynamic numbers
ME: communications

An example of enumerating clients (FreeBSD):

heci0: <Intel 82G33/G31/P35/P31 Express HECI/MEI Controller> mem 0xd0526100-0xd052610f irq 16 at device 3.0 on pci0
heci0: using MSI
heci0: [ITHREAD]
heci0: found ME client at address 0x02:
heci0:   status = 0x00
heci0:   protocol name(guid) = BB875E12-CB58-4D14-AE93-8566183C66C7
heci0: found ME client at address 0x03:
heci0:   status = 0x00
heci0:   protocol name(guid) = A12FF5CA-FACB-4CB4-A958-19A23B2E6881
heci0: found ME client at address 0x06:
heci0:   status = 0x00
heci0:   protocol name(guid) = 9B27FD6D-EF72-4967-BCC2-471A32679620
heci0: found ME client at address 0x07:
heci0:   status = 0x00
heci0:   protocol name(guid) = 55213584-9A29-4916-BADF-0FB7ED682AEB
[...]
heci0: found ME client at address 0x27:
heci0:   status = 0x00
heci0:   protocol name(guid) = 05B79A6F-4628-4D7F-899D-A91514CB32AB
ME: communications

A list of some of the known clients, gathered from headers and other sources:

  Fixed ID  GUID                                     Name
            8e6a6715-9abc-4043-88ef-9e39c6f63e0f     MKHI
  8         42b3ce2f-bd9f-485a-96ae-26406230b1ff     ICC
  9         d2ea63bc-5f04-4997-9454-8cadf4e3ef8a     Thermal
            309dcde8-ccb1-4062-8f78-600115a34327     Firmware Update
            05b79a6f-4628-4d7f-899d-a91514cb32ab     Watchdog
            6733a4db-0476-4e7b-b3af-bcfc29bee7a7     LME
            12f80028-b4b7-4b2d-aca8-46e0ff65814c     PTHI (AMTHI)
            3d98d9b7-1ce8-4252-b337-2eff106ef29f     LMS
            6b5205b9-8185-4519-b889-d98724b58607     QST
            0f908627d-13bf-4a04-0b91f-0a64e9245323d  CLS
            3c4852d6-d47b-4f46-b05e-b5edc1aa430a     TDT (AT-p)
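To make the client model concrete, here is an added example (my code, not from the deck) of a host-side exchange with one fixed client, MKHI from the table above, through the Linux mei driver: connect by GUID with IOCTL_MEI_CONNECT_CLIENT (the driver adds the HECI message header itself), send the MKHI "get firmware version" request (group 0xFF, command 0x02) and decode the reply. The MKHI header bit layout and the version structure follow coreboot's open-source ME code; the ioctl number is derived from the kernel's _IOWR('H', 0x01, 24-byte struct) definition; the reply bytes embedded at the end are constructed, not captured from hardware.

```python
"""Host-side exchange with one HECI/MEI client through the Linux mei driver:
connect to MKHI by GUID, ask for the firmware version, decode the reply."""
import fcntl
import os
import struct
import uuid

MKHI_GUID = "8e6a6715-9abc-4043-88ef-9e39c6f63e0f"     # fixed client from the table above

# _IOWR('H', 0x01, struct mei_connect_client_data): in = 16-byte uuid_le,
# out = {u32 max_msg_length; u8 protocol_version; u8 reserved[3]} -> 24 bytes
IOCTL_MEI_CONNECT_CLIENT = (3 << 30) | (24 << 16) | (ord("H") << 8) | 0x01

MKHI_GROUP_ID_GEN = 0xFF
GEN_GET_FW_VERSION = 0x02


def guid_to_uuid_le(text):
    """Kernel uuid_le is the mixed-endian GUID: first three fields little-endian."""
    return uuid.UUID(text).bytes_le


def mkhi_header(group, command, is_response=False, result=0):
    """MKHI header dword: group_id:8 | command:7 | is_response:1 | reserved:8 | result:8."""
    word = ((group & 0xFF) | ((command & 0x7F) << 8)
            | (int(is_response) << 15) | ((result & 0xFF) << 24))
    return struct.pack("<I", word)


def parse_mkhi_header(data):
    (word,) = struct.unpack_from("<I", data, 0)
    return {"group": word & 0xFF, "command": (word >> 8) & 0x7F,
            "is_response": (word >> 15) & 1, "result": (word >> 24) & 0xFF}


def build_get_fw_version_request():
    return mkhi_header(MKHI_GROUP_ID_GEN, GEN_GET_FW_VERSION)   # b"\xff\x02\x00\x00"


def parse_get_fw_version_response(data):
    """Reply = MKHI header + 3 x (minor, major, build, hotfix) u16 for the
    code, recovery and FITC versions (layout as in coreboot's me.c)."""
    hdr = parse_mkhi_header(data)
    if not hdr["is_response"] or hdr["command"] != GEN_GET_FW_VERSION or hdr["result"] != 0:
        raise ValueError("unexpected MKHI reply: %r" % hdr)
    fields = struct.unpack_from("<12H", data, 4)
    versions = {}
    for i, name in enumerate(("code", "recovery", "fitc")):
        minor, major, build, hotfix = fields[4 * i:4 * i + 4]
        versions[name] = "%d.%d.%d.%d" % (major, minor, hotfix, build)
    return versions


def query_fw_version(dev="/dev/mei0"):
    """Live exchange: needs the mei driver loaded and rights on the device node."""
    fd = os.open(dev, os.O_RDWR)
    try:
        props = bytearray(24)
        props[:16] = guid_to_uuid_le(MKHI_GUID)
        # fails with an OSError if the client is absent or already claimed
        fcntl.ioctl(fd, IOCTL_MEI_CONNECT_CLIENT, props, True)
        max_len, proto_ver = struct.unpack_from("<IB", props, 16)
        os.write(fd, build_get_fw_version_request())
        return parse_get_fw_version_response(os.read(fd, max_len))
    finally:
        os.close(fd)


# Constructed reply (not captured from hardware): code and recovery 8.1.0.1265, FITC 8.0.0.1351
SAMPLE_REPLY = mkhi_header(MKHI_GROUP_ID_GEN, GEN_GET_FW_VERSION, is_response=True) + \
    struct.pack("<12H", 1, 8, 1265, 0, 1, 8, 1265, 0, 0, 8, 1351, 0)

if __name__ == "__main__":
    print(parse_get_fw_version_response(SAMPLE_REPLY))
```

The same pattern (connect by GUID, write payload, read reply) applies to every client in the table; only the payload format changes per client, which is why the slides call the higher-level messages poorly documented.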










ME: communications

- One of the main users of the HECI interface is the BIOS
- It has to allocate the UMA memory for the ME, protect it, and notify the ME about it
- It also needs to tell the ME about various events, including End-Of-POST (EOP)
- If not disabled at manufacturing time, the BIOS can also ask the ME to temporarily open its flash region for reading and writing; this functionality is intended to allow ME region updates, and is called Host ME Region Flash Protection Override (HMRFPO)
- An optional module inside the BIOS, MEBx (ME BIOS Extension), provides a UI for the user to configure various ME options. It also uses HECI to communicate with the ME
- Thus, reverse-engineering the BIOS is a good source of info about ME communications
ME: Security

- The ME includes numerous security features
- Code signing: all code that is supposed to be running on the ME is signed with RSA and is checked by the boot ROM

"During the design phase, a Firmware Signing Key (FWSK) public/private pair is generated at a secure Intel Location, using the Intel Code Signing System. The Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus fixed. Each approved production firmware image is digitally signed by Intel with the private FWSK. The public FWSK and the digital signature are appended to the firmware image manifest.

At runtime, a secure boot sequence is accomplished by means of the boot ROM verifying that the public FWSK on Flash is valid, based on the hash value in ROM. The ROM validates the firmware image that corresponds to the manifest's digital signature through the use of the public FWSK, and if successful, the system continues to boot from Flash code."

From "Architecture Guide: Intel® Active Management Technology", 2009
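The manifest slides and the Intel quote above describe one chain: a $MN2 header carrying the key and the signature, $MME entries for the modules, and a boot ROM that trusts only a key whose hash it already holds. The added example below (my code for this page; it is neither Intel's ROM logic nor the author's dumper) parses a Gen2 manifest at the offsets from the layout slide, decodes the $MME flags the same way the dumper output does, and re-does the ROM's first step: hash the embedded public key, compare it with a pinned value, and refuse the manifest if they differ, before any signature is even looked at. Assumptions, marked in the code as well: the $MME entries start at 0x290; the fingerprint is SHA-1 over modulus||exponent (Intel says SHA-1 of the key, not how the key is serialised); the flag field widths beyond what the slide decodes; and the constructed key, pinned hash and module values.

```python
"""Parse a Gen2 ($MN2) code-partition manifest and its $MME module headers at
the offsets from the layout slide, then redo the boot ROM's first step: trust
the embedded public key only if its hash matches the value pinned in ROM."""
import hashlib
import struct

# 0x00..0x2B: Type, SubType, HdrLen, HdrVer, Flags, Vendor, Date, Size, Tag, NumMods,
# Version (major, minor, hotfix, build); KeySize/ScratchSize at 0x78; key at 0x80;
# exponent at 0x180; signature at 0x184; partition name at 0x284
MANIFEST_FIXED = "<HHIIIIII4sIHHHH"
MODULES_START = 0x290           # name (4) + 8 unknown bytes after 0x284, then $MME entries (assumed)
# $MME (0x60 bytes): Tag, Name, Hash, unknown, Offset, unknown, Size, unknown, unknown,
# LoadBase, Flags, 3 x unknown
MME = "<4s16s32s" + "I" * 11
COMP_TYPES = {0: "Uncompressed", 1: "Huffman", 2: "LZMA"}
API_TYPES = {2: "KERNEL"}       # only value 2 is named on the slide


def decode_module_flags(flags):
    """Bit positions chosen so that 0x0012D42A decodes as on the slide
    (power type 1, LZMA, stage 8, API type 2); the field widths are assumptions."""
    return {"power_type": (flags >> 1) & 0x3,
            "compression": COMP_TYPES.get((flags >> 4) & 0x7, "?"),
            "stage": (flags >> 7) & 0xF,
            "api_type": API_TYPES.get((flags >> 11) & 0x7, "?"),
            "privileged": (flags >> 16) & 1}


def parse_manifest(buf):
    (mtype, msub, hdr_len, hdr_ver, flags, vendor, date, size, tag, nmods,
     major, minor, hotfix, build) = struct.unpack_from(MANIFEST_FIXED, buf, 0)
    if tag not in (b"$MN2", b"$MAN"):
        raise ValueError("not a manifest tag: %r" % tag)
    key_size, scratch_size = struct.unpack_from("<II", buf, 0x78)      # both in dwords
    (exponent,) = struct.unpack_from("<I", buf, 0x180)
    m = {"type": mtype, "subtype": msub, "hdr_len_bytes": hdr_len * 4,
         "hdr_version": "%d.%d" % (hdr_ver >> 16, hdr_ver & 0xFFFF),
         "flags": flags, "vendor": vendor, "date": "%08X" % date,       # BCD yyyymmdd
         "size_bytes": size * 4, "tag": tag.decode("ascii"),
         "version": "%d.%d.%d.%d" % (major, minor, hotfix, build),
         "key_size_bytes": key_size * 4, "scratch_size_bytes": scratch_size * 4,
         "modulus": bytes(buf[0x80:0x180]), "exponent": exponent,
         "signature": bytes(buf[0x184:0x284]),
         "partition_name": bytes(buf[0x284:0x288]).rstrip(b"\0").decode("ascii", "replace"),
         "modules": []}
    pos = MODULES_START
    for _ in range(nmods):
        f = struct.unpack_from(MME, buf, pos)
        if f[0] != b"$MME":
            raise ValueError("bad module header tag %r at 0x%X" % (f[0], pos))
        m["modules"].append({"name": f[1].rstrip(b"\0").decode("ascii", "replace"),
                             "hash": f[2].hex(), "offset": f[4], "size": f[6],
                             "load_base": f[9], "flags": decode_module_flags(f[10])})
        pos += struct.calcsize(MME)
    return m


def key_fingerprint(m):
    """SHA-1 over modulus || little-endian exponent.  Intel's text says the ROM
    holds a SHA-1 of the key; how the key is serialised for that hash is assumed."""
    return hashlib.sha1(m["modulus"] + struct.pack("<I", m["exponent"])).digest()


def rom_trusts_key(m, pinned_hash):
    """The ROM-side gate: with an unpinned key no signature check is attempted at all."""
    return key_fingerprint(m) == pinned_hash


# Constructed key material (not Intel's key) and a constructed manifest
SAMPLE_MODULUS = hashlib.sha256(b"constructed modulus").digest() * 8    # 256 bytes
SAMPLE_EXPONENT = 17                                                     # as on the slide
ROM_PINNED_HASH = hashlib.sha1(SAMPLE_MODULUS + struct.pack("<I", SAMPLE_EXPONENT)).digest()


def build_sample_manifest():
    """Mirrors the slide's example values (ME 8.1.0.1265, dated 2012-07-05)
    with a single JOM module entry taken from the module-header slide."""
    buf = bytearray(MODULES_START + struct.calcsize(MME))
    struct.pack_into(MANIFEST_FIXED, buf, 0, 4, 0, 0xA1, 0x00010000, 0, 0x8086,
                     0x20120705, len(buf) // 4, b"$MN2", 1, 8, 1, 0, 1265)
    struct.pack_into("<II", buf, 0x78, 0x40, 0x01)
    buf[0x80:0x180] = SAMPLE_MODULUS
    struct.pack_into("<I", buf, 0x180, SAMPLE_EXPONENT)
    buf[0x284:0x288] = b"MDMV"
    struct.pack_into(MME, buf, MODULES_START, b"$MME", b"JOM", b"\0" * 32, 0,
                     0x00015F7A, 0, 0x00019F6D, 0, 0, 0x200B1000, 0x0012D42A, 0, 0, 0)
    return bytes(buf)


if __name__ == "__main__":
    m = parse_manifest(build_sample_manifest())
    print(m["tag"], m["version"], m["modules"][0]["name"], m["modules"][0]["flags"])
    print("ROM trusts key:", rom_trusts_key(m, ROM_PINNED_HASH))
```

The point of the pinned hash is that the key travelling with the firmware buys an attacker nothing: a manifest re-signed with a different 2048-bit key carries a key the ROM has never heard of, and the check fails before the RSA verification would even run.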
ME: Security

- The ME requires some RAM to put unpacked code and runtime variables in (the MCU's own memory is too limited and slow)
- This memory is reserved by the BIOS on the ME's request and cannot be accessed by the host CPU once locked

[Register excerpt from the chipset datasheet: bits 15:14 Reserved; an enable bit for the Intel ME memory region; a lock bit for the Intel ME memory region base/mask (MESEGBASE and MESEGMASK cannot be changed once this bit is set).]

- A memory remapping attack was demonstrated by Invisible Things Lab in 2009, but it doesn't work anymore
- A cold boot attack is probably still possible, though...
- An open question: how does it work with the integrated memory controller on the newer chips?
ME: Security

- Flash access is limited by the chipset according to the flags in the descriptor region (start of the flash chip), and normally the ME region is not accessible to others
- Since the descriptor region itself is marked read-only at the end of manufacturing, changing the permissions is not trivial
- One obvious solution is to use a hardware flash programmer to write to the chip directly, bypassing the CPU and chipset. This might require unsoldering the chip, however
- Another option is the HMRFPO message which asks the ME to unlock the flash temporarily, but it's tricky to use because it only works before End-Of-POST
Getting along with the BIOS

- I decided to find a place where the BIOS sends End-Of-Post to the ME
- Extracted the BIOS with 7-Zip (UEFI Firmware Filesystem)
- Searched for "Post", both ANSI and Unicode
- A strange file appears...

[Hex view of the file: a run of UTF-16 strings, among them "N/A", "ME Subsystem", "ME Subsystem Help", "End of Post Message", "End of Post Message Help", "Execute MEBx", "Execute M..."]

Getting along with the BIOS

- The file contains a bunch of Unicode strings, first in English, then in a couple of other languages
- The strings refer to the BIOS setup items
- The file appears next to a .efi executable, meaning they were two sections of the flash file "Setup"
- So obviously this is a kind of resource file for the BIOS setup UI
- Turns out that (U)EFI provides a standard way to encode strings and forms for the UI, called HII (Human Interface Infrastructure)
- And someone already wrote tools[1] to parse them...

[1] http://marcansoft.com/blog/2009/06/enabling-intel-vt-on-the-aspire-8930g/
Getting along with the BIOS

- After some hacking of the scripts (apparently there were some updates in the format) I dumped a list of strings and forms
- And here's the option we need:

  Suppress If
    EQ [@0xdb<1>] == 0x0
    One Of [@0xdc<1>] u'End of Post Message'
      \Help text: u'End of Post Message Help'
      Option 'Disabled' = 0x0 Flags 0x10 Key 0x0
      Option 'Enabled'  = 0x1 Flags 0x13 Key 0x0
    End One Of
  End If

- However, it doesn't seem to be present in the actual UI?
Getting along with the BIOS

- This setting is a part of a form named 'ME Subsystem'
- Scrolling a bit around, we find:

  Suppress If
    LIST [@0xdb<1>] in (0x0,0x1)
    Reference: 'ME Subsystem' Form ID 0x1a Flags 0x0 Key 0x0
      \Help text: u'ME Subsystem Parameters'
  End If

- So, the form is not shown if the byte in the Setup variable at offset 0xDB is either 0 or 1
- One solution is to patch the form bytecode, pack the file back into the BIOS (updating the checksums) and flash the new BIOS
- But this is rather involved and risky. Is there an easier
Getting along with the BIOS

- Examining and editing UEFI variables is rather awkward, but doable with the EFI shell and the command "dmpstore"

             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  000000d0  00 00 00 00 00 00 01 00 00 00 00 01 01 00 00 01

- Changing EFI vars is much easier than patching actual files in the FFS. Also, no need to reflash
- Since neither 0 nor 1 will show the form, let's put something else in there... for example, 0xFF

  > dmpstore Setup -s temp.bin
  > hexedit temp.bin
  > dmpstore Setup -l temp.bin
  > exit

- Did it work?
Getting along with the BIOS

[BIOS setup screenshots: the Advanced menu (CPU Configuration, System Agent Configuration, PCH Configuration, SATA Configuration, USB Configuration, ME Subsystem, Chipset Reference Board, Onboard Devices Configuration, APM, ...) now shows "ME Subsystem"; inside it: ME Temporary Disable, End of Post Message [Enabled], Execute MEBx, Integrated Clock Chip Configuration.]

Getting along with the BIOS

- Now we can change the ME options and disable End-Of-POST
- One minor issue: when you return from the "ME Subsystem" form, the menu item disappears :)
- This happens because the byte 0xDB gets set to 1 (or 0, if you disable the ME) again, triggering the "Suppress If" opcode
- So if you need to go there once more, you need to do the dmpstore/hexedit trick again
- By the way, instead of going through the menus we could directly set the necessary value in the Setup variable (byte at offset 0xDC)
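The same patch done from Linux, as an added example (my code for this page, not the deck's procedure): efivarfs exposes each UEFI variable as a file whose first four bytes are the attributes, followed by the variable data, so the dmpstore/hexedit steps become one script. It evaluates the two IFR conditions from the slides (byte 0xDB in {0, 1} suppresses the form; byte 0xDC is the "End of Post Message" One Of), sets 0xDB to 0xFF and 0xDC to 0 (Disabled) and writes the blob back with its attributes intact. The Setup variable GUID and the efivarfs path are assumptions for an AMI-based board; the sample blob is constructed from the 0xD0 row shown above and is not a real dump.

```python
"""Patch the BIOS 'Setup' variable from Linux via efivarfs: unhide the
'ME Subsystem' form (byte 0xDB) and turn 'End of Post Message' off (0xDC)."""
import struct

# Offsets and the variable name come from the IFR dump on the slides.  The GUID
# differs per BIOS vendor; this is AMI's usual Setup GUID and an assumption here.
SETUP_GUID = "ec87d643-eba4-4bb5-a1e5-3f3e36b20da9"
SETUP_PATH = "/sys/firmware/efi/efivars/Setup-" + SETUP_GUID
OFF_ME_STATE = 0xDB         # Suppress If LIST [@0xdb<1>] in (0x0, 0x1)
OFF_EOP_MESSAGE = 0xDC      # One Of [@0xdc<1>]: 0 = Disabled, 1 = Enabled


def form_visible(data):
    """The IFR condition guarding the 'ME Subsystem' reference, inverted."""
    return data[OFF_ME_STATE] not in (0, 1)


def eop_option(data):
    return "Enabled" if data[OFF_EOP_MESSAGE] == 1 else "Disabled"


def split_efivar(blob):
    """efivarfs file = 4-byte little-endian attributes + variable data."""
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, bytearray(blob[4:])


def join_efivar(attrs, data):
    return struct.pack("<I", attrs) + bytes(data)


def patch_setup(blob, unhide=True, eop_enabled=False):
    """Return a new efivarfs blob with the two bytes changed, everything else kept."""
    attrs, data = split_efivar(blob)
    if len(data) <= OFF_EOP_MESSAGE:
        raise ValueError("Setup variable too short for these offsets: %d bytes" % len(data))
    if unhide:
        data[OFF_ME_STATE] = 0xFF          # anything but 0 or 1 shows the form
    data[OFF_EOP_MESSAGE] = 1 if eop_enabled else 0
    return join_efivar(attrs, data)


def patch_file(path=SETUP_PATH, **kw):
    """Rewrite in place; needs root and `chattr -i` on the file first.
    efivarfs requires attributes and data to arrive in a single write."""
    with open(path, "rb") as f:
        blob = f.read()
    with open(path, "wb") as f:
        f.write(patch_setup(blob, **kw))


def build_sample_blob():
    """Constructed 256-byte Setup image reproducing the 0xD0 row on the slide:
    bytes 0xDB and 0xDC are both 01 (ME enabled, End of Post Message enabled)."""
    data = bytearray(0x100)
    data[0xD0:0xE0] = bytes.fromhex("00000000000001000000000101000001")
    return join_efivar(0x7, data)       # NV + BS + RT attributes


if __name__ == "__main__":
    attrs, before = split_efivar(build_sample_blob())
    _, after = split_efivar(patch_setup(build_sample_blob()))
    print("before: form visible=%s, EOP=%s" % (form_visible(before), eop_option(before)))
    print("after:  form visible=%s, EOP=%s" % (form_visible(after), eop_option(after)))
```

Both offsets are specific to this BIOS's Setup layout, so confirm them against your own IFR dump first. Disabling End of Post is not a cosmetic change: the ME then stays in its pre-boot state, which is what makes the HMRFPO request usable later, and any host software that assumes EOP has been sent is now mistaken.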
Getting along with the BIOS

- Rebooting after changing "End of Post Message" to "Disabled":

  Get flash master region access status... done
  Host Read Access to ME:   Disabled
  Host Write Access to ME:  Disabled
  ID #1:                    EF4016
  ID USCC #1:               20052001
  BIOS USCC:                20052005
  Range Base #0: 0x0        Range Limit #0: 0x0
  Range Base #1: 0x0        Range Limit #1: 0x0
  Range Base #2: 0x0        Range Limit #2: 0x0
  Range Base #3: 0x0        Range Limit #3: 0x0
  Range Base #4: 0x0        Range Limit #4: 0x0
  State:                    Pre Boot
  [...]
  00000000-0000-0000-0000-000000000000

Getting along with the BIOS

- Okay, we have our ME in the desired state, what now?
- The specifics of the HMRFPO message are not available in public documentation
- However, some BIOS updates exist that allow updating the ME version from 7.0 to 8.0
- The ME cannot update itself to the next major version, so this must be done by code external to the ME
- From reading the "Bios ME7 to ME8 update SOP" for MSI boards it's clear that the ME update happens on the first boot of the new BIOS
- So the code must be there somewhere...
Getting along with the BIOS

- Several days of reversing later...
  - Found the new ME partition (stored as a file in the UEFI volume)
  - Found the code that does the ME update ("Updating BIOS ME, please wait")
  - Found code which seems to talk to the ME and send commands not mentioned in the documentation
  - Found code in the ME which handles these messages (probably)
  - Converted an AMT SDK sample to send similar commands
- Unfortunately, it didn't work on my test hardware (ASUS)
- However, it was a good learning experience!
A different approach

- After I went through this, I accidentally found a mention that the newest BIOS for my board contains ME 8.0 (this fact was not mentioned in Asus' release notes)
- As a nice side effect, this update completely opens the ME region!
- So now I can read and write the ME region freely (using Intel's FPT)
- I can also analyze the update process in more detail and figure out how it works around the ME lock on the old version
Poking the flash

- One of the partitions in the ME region is "EFFS"
- It contains in turn other, virtual partitions with tags beginning with "NV" (non-volatile variables) and "BI" (block I/O), used by the software components of the ME
- Some of these variables are used to enable and disable various ME features, which usually depend on the specific chipset model (a single ME binary is used on many configurations)
- For example, the ME on my board includes the modules TDT (Anti-Theft) and PAVP (Protected Audio/Video Path), but they're disabled in software
- I tried changing some obvious bits, but it seems it's not that
Results

- I have not managed to run my own rootkit on the ME (yet)
- However, I've learned a lot about it and I hope to achieve it in future
- Intel seems to have done a good job on security so far, but there's a lot of code in there (now up to 5 MB, compressed)
- I made some tools that should help others in research:
  - ME ROM dumper/extractor
  - ARC processor module for IDA
ME dumper/extractor

- Written in Python
- Supports parsing of the following formats:
  - Full SPI flash image (signature 5A A5 F0 0F)
  - Separate ME region (signature $FPT)
  - Individual ME code module ($MN2 or $MAN)
- Prints detailed header info
- Prepares LZMA-compressed modules for easy unpacking with 7-Zip
ME dumper/extractor

Header tag:     $MME
Module name:    JOM
Hash:           FB 49 10 CB 94 C8 62 9D BE 53 BB 7A CF 0C 6A D4 1F F9 92 A7 AD 52 2A 55 FE F6 71 74 06 F0 0C 64
Unk34:          0x20157000
Offset:         0x0001198E
Unk38:          0x00029000
Data length:    0x000133CA
Unk44:          0x00029518
Unk48:          0x00029518
LoadBase:       0x20159000
Flags:          0x0012D42A
  Unknown B0:      0
  Power Type:      POWER_TYPE_M0_ONLY (1)
  Unknown B3:      1
  Compression:     COMP_TYPE_LZMA (2)
  Stage:           STAGE_8 (8)
  API Type:        API_TYPE_KERNEL (2)
  Unknown B14:
  Unknown B15:
  Privileged:
  Unknown B17_19:
  Unknown B20_21:
ARC processor: objdump

  cmd /k "arc-elf32-objdump_arcompact.exe" -b binary -EL -m AR...

  200f4a2a:  0000e782   cmp_s   r15,2
  200f4a2c:  0000f494   bne_s   0x200f4b54
  200f4a2e:  00008501   ld_s    r0,[r13,4]
  200f4a30:  0000e081   cmp_s   r0,1
  200f4a32:  20cc8122   cmp.nz  r0,4
  200f4a36:  0000f4b5   bne_s   0x200f4b9e
  200f4a38:  0000d55e   ld_s    r13,pcl,0x178
  200f4a3a:  26561501   add3    r1,r14,20
  200f4a3e:  0000da01   mov_s   r2,1
  200f4a40:  25561dc0   add3    r0,r13,55
  200f4a44:  0a32fe4f   bl      0x200f1474
  200f4a48:  00007039   mov_s   r0,r13
  200f4a4a:  20800506   add     r0,r0,0x194
  200f4a4e:  0000d75a   ld_s    r15,pcl,0x168
  200f4a50:  000071c9   mov_s   r1,r14
  200f4a52:  21800b42   add     r1,r1,173
  200f4a56:  0000da02   mov_s   r2,2
  200f4a58:  0000dc64   mov_s   r12,100
  200f4a5a:  27021303   sub     r3,r15,r12
  200f4a5e:  24420600   mov     r4,24
  200f4a62:  08aefe4f   bl      0x200f130c

What are the results of the underlined instructions?
ARC processor: IDA

ROM:200F4A2A    cmp_s   r15, 2
ROM:200F4A2C    bne_s   loc_200F4B54
ROM:200F4A2E    ld_s    r0, [r13,4]
ROM:200F4A30    cmp_s   r0, 1
ROM:200F4A32    cmp.nz  r0, 4
ROM:200F4A36    bne_s   loc_200F4B9E
ROM:200F4A38    ld_s    r13, =dword_200FF44C
ROM:200F4A3A    add3    r1, r14, (aHcisemaphore - 0x200F8CAC)      # "HciSemaphore"
ROM:200F4A3E    mov_s   r2, 1
ROM:200F4A40    add3    r0, r13, (g_HciSemaphore - 0x200FF44C)
ROM:200F4A44    bl      create_semaphore
ROM:200F4A48    mov_s   r0, r13
ROM:200F4A4A    add     r0, r0, (g_HciInputQueue - 0x200FF44C)
ROM:200F4A4E    ld_s    r15, =0x200FF648
ROM:200F4A50    mov_s   r1, r14
ROM:200F4A52    add     r1, r1, (aHciinputqueue - 0x200F8CAC)      # "HciInputQueue"
ROM:200F4A56    mov_s   r2, 2
ROM:200F4A58    mov_s   r12, (0x200FF648 - unk_200FF5E4)
ROM:200F4A5A    sub     r3, r15, r12                               ; unk_200FF5E4
ROM:200F4A5E    mov     r4, 0x18
ROM:200F4A62    bl      create_queue
ROM:200F4A66    add3    r0, r13, (g_HciHeciEventFlags - 0x200FF44C)
ROM:200F4A6A    mov_s   r1, r14
ROM:200F4A6C    add     r1, r1, (aHcihecieventflags - 0x200F8CAC)  # "HciHeciEventFlags"
ROM:200F4A70    bl      create_event_flags
ROM:200F4A74    add3    r0, r13, (g_HciBufferQueue - 0x200FF44C)
ROM:200F4A78    mov_s   r1, r14
ROM:200F4A7A    add     r1, r1, (aHcibufferqueue - 0x200F8CAC)     # "HciBufferQueue"
ROM:200F4A7E    mov_s   r2, 1                                      # message size
ARC processor: objdump

  200f3090:  0000b88f   bset_s  r0,r0,15
  200f3092:  00002504   st_s    r0,[r13,16]
  200f3094:  0000c00b   ld_s    r0,[sp,44]
  200f3096:  00002506   st_s    r0,[r13,24]
  200f3098:  0000c00a   ld_s    r0,[sp,40]
  200f309a:  00002502   st_s    r0,[r13,8]
  200f309c:  0000c001   ld_s    r0,[sp,4]
  200f309e:  00002505   st_s    r0,[r13,20]
  200f30a0:  000070e9   mov_s   r0,r15
  200f30a2:  0000c0ac   add_s   sp,sp,48
  200f30a4:  0505fecf   b       0x200f0da8
  200f30a8:  10942010   ld      r16,[r16,148]
  200f30ac:  0000c5e1   push_s  r13
  200f30ae:  0000e085   cmp_s   r0,5
  200f30b0:  0000db00   mov_s   r3,0
  200f30b2:  0080000d   bhi     0x200f3130
  200f30b6:  2740738d   add     r13,pcl,14
  200f30ba:  25331000   ldb.x   r0,[r13,r0]
  200f30be:  00007d14   add1    r13,r13,r0
  200f30c0:  00007d00   j       [r13]
  200f30c2:  2b032f2d   ...     r45,r19,lp_count
  0 [main] arc-elf32-objdump_arcompact 5920 exception::handle: Exception: STATUS_ACCESS_VIOLATION
  405 [main] arc-elf32-objdump_arcompact 5920 open_stackdumpfile: Dumping stack trace to arc-elf32-objdump_arcompact.exe.stackdump

  Program received signal SIGSEGV, Segmentation fault.
  0x61112b58 in strcpy () from /usr/bin/cygwin1.dll
  (gdb)
ARC processor: IDA

ROM:200F30A0 loc_200F30A0:                          # CODE XREF: fwu_get_version+2C↑j
ROM:200F30A0                                        # fwu_get_version+44↑j
ROM:200F30A0 034    mov_s   r0, r15
ROM:200F30A2 034    add_s   sp, sp, 0x30
ROM:200F30A4 004    b       unk_200F0DA8
ROM:200F30A4        # End of function fwu_get_version
ROM:200F30A4
ROM:200F30A8        .long dword_20101094
ROM:200F30AC
ROM:200F30AC # =============== S U B R O U T I N E =======================================
ROM:200F30AC
ROM:200F30AC sub_200F30AC:                          # CODE XREF: fwu_get_version+3C↑p
ROM:200F30AC 000    push_s  r13
ROM:200F30AE 004    cmp_s   r0, 5
ROM:200F30B0 004    mov_s   r3, 0
ROM:200F30B2 004    bhi     loc_200F3130
ROM:200F30B6 004    add     r13, pcl, (byte_200F30C2 - 0x200F30B4)
ROM:200F30BA 004    ldb.x   r0, [r13,r0]
ROM:200F30BE 004    add1    r13, r13, r0
ROM:200F30C0 004    j       [r13]                   # switch 6 cases
ROM:200F30C0 # ---------------------------------------------------------------------------
ROM:200F30C2 byte_200F30C2: .byte 3, 0x2B, 0x2D, 0x2F, 0x31, 0x35
ROM:200F30C2                                        # DATA XREF: sub_200F30AC+A↑o
ROM:200F30C2                                        # jump table for switch statement
ROM:200F30C8 # ---------------------------------------------------------------------------
ROM:200F30C8
ROM:200F30C8 loc_200F30C8:                          # CODE XREF: sub_200F30AC+14↑j
ROM:200F30C8 004    cmp_s   r1, 0x15                # jumptable 200F30C0 case 0
ROM:200F30CA 004    bhi     loc_200F3114            # jumptable 200F30D8 cases 2,6-10,14-20
ROM:200F30CE 004    add     r0, pcl, (byte_200F30DA - 0x200F30CC)
ROM:200F30D2 004    ldb.x   r1, [r0,r1]

ARC processor module for IDA

- Supports ARCtangent-A4 (older, 32-bit only instructions) and ARCompact (newer, mixed 32/16-bit ISA)
- Tracks changes to the SP register and creates local variables
- Handles switch tables
- Tracks register values to find more cross-references
- Inlines constant pool loads (PC-relative) for convenience
- In general, makes life not constant pain
- Not production quality yet, but hopefully it will appear in the next version of IDA
Future work

- Dynamic Application Loader
  - New feature in 7.1/8.0 firmware: load Java applets and run them inside the ME
  - Used for things like the PIN entry UI and remote authentication
  - The applets provided by Intel are signed, but it's one more vector of entry...
- EFFS parsing and modifying
  - Most of the ME state is stored there
  - If we can modify the flash, we can modify the EFFS
  - Critical variables are protected from tampering, but the majority isn't
  - Complicated format because of flash wear leveling
Future work

- Huffman compression
  - Used in newer firmwares for compressing the kernel and some other modules
  - Couldn't find the decompression code; some whitepapers mention hardware decompression...
  - Still, Huffman is a pretty simple scheme, so it should be doable from just the compressed data
- ME <-> Host protocols
  - Most modules use a different message format
  - A lot of undocumented messages; some modules seem to be not mentioned anywhere
  - Some client software has very verbose debugging messages in its binaries...
Future work

- BIOS RE
  - In early boot stages the ME accepts some things which are not possible later
  - Reversing the BIOS modules that talk to the ME is a good source of info
  - Even better would be to run custom code early
  - Big room for improvement in tools
- Simulation and fuzzing
  - Open Virtual Platform (www.ovpworld.org) has modules for ARC600 and ARC700 (ARCompact-based)
  - They claim that it's easy to extend the models with emulation for custom hardware
  - The simulator has a GDB stub for debugging
  - Debugging and fuzzing should be possible
Thank you!

Questions?

igor@hex-rays.com
skochinsky@gmail.com